entry.picoevents.ch - Competition Registration ID check fails (#mvid7)

Document Title:
entry.picoevents.ch - Competition Registration ID check fails

mosi Vulnerability ID (mvid):
7

Discovery Status:
No Fix Necessary

CVSSv2 Overall Score:
4.2

CVSSv2 Vector:

Product & Service Introduction:
picoEvents provides an online registration and live result service that simplifies timekeeping in orienteering, used together with SPORTident.

Simon Monai & Namo Flury found a vulnerability with which it is possible to enter registration information that is not expected as registration input.

Report Timeline:
2017-06-19 - Analysis of server attack requested by vendor
2017-06-19 - Vulnerability detected
2017-06-19 - Vendor informed
2017-08-14 - Vendor reminded
2017-08-15 - Vendor reply - no fix necessary
2017-08-30 - Public Disclosure

Affected Products:
entry.picoevents.ch - Multisport & Orienteering Competition Registration Form

Exploitation Technique:
Request Forgery

Security Level:

Technical Details & Description:
Request Method(s):
[+] GET

Vulnerable Module(s):
[+] http://picoevents.ch/entry/

Vulnerable File(s):
[+] /regist/anmeldung.php
[+] /regist/multisport/weiche_msp.php

Proof of Concept (PoC):
By opening the entry form of the Bepathlon through the following URL, it was possible to register as an orienteering runner instead of a Bepathlon competitor:

Possible Solution:
Rewrite the PHP entry form to prevent the wrong login form from being loaded for a competition.
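A server-side check of the kind this solution calls for, written here as an added Python model rather than the site's own PHP: the form and its accepted fields are derived from the competition record, so naming a different form file in the URL is rejected. The competition ids, form names and field lists are constructed assumptions.

```python
# Added example (not picoEvents' code): bind the entry form and its accepted
# fields to the competition record on the server instead of to the request URL.

# Constructed sample competition registry; ids, disciplines and form names are assumptions.
COMPETITIONS = {
    "ol-2017-06": {"discipline": "orienteering", "form": "anmeldung"},
    "bepathlon-2017-06": {"discipline": "multisport", "form": "weiche_msp"},
}

# Fields each form accepts (assumed); anything else in the request is rejected.
ALLOWED_FIELDS = {
    "anmeldung": {"name", "club", "si_card", "category"},
    "weiche_msp": {"name", "club", "si_card", "category", "bike_number", "team"},
}


class RegistrationError(ValueError):
    """Raised when a request does not match the competition's configuration."""


def select_form(competition_id: str, requested_form: str) -> str:
    """Return the form the competition is configured for.

    The weak behaviour described in the advisory amounts to trusting
    requested_form as given; here the request may only name the configured form.
    """
    comp = COMPETITIONS.get(competition_id)
    if comp is None:
        raise RegistrationError(f"unknown competition {competition_id!r}")
    if requested_form != comp["form"]:
        raise RegistrationError(
            f"form {requested_form!r} is not valid for {competition_id!r}")
    return comp["form"]


def validate_registration(competition_id: str, requested_form: str, params: dict) -> dict:
    """Accept only the fields defined by the competition's own form."""
    form = select_form(competition_id, requested_form)
    unexpected = set(params) - ALLOWED_FIELDS[form]
    if unexpected:
        raise RegistrationError(
            f"unexpected fields for {form}: {sorted(unexpected)}")
    return {"competition": competition_id, "form": form, "fields": dict(params)}
```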

Security Risk:
This vulnerability is considered as medium. (CVSSv2 4.2)

Author / Credits:
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)
Baumer Electric AG - Namo Flury

Public Disclosure:
The vendor informed mosi security research that there is already a mechanism to protect against such attacks and that no fix is necessary.
2017-08-30 - https://jongliertricks.ch/mosi-security-research/41